Survival Servers Leaks Personal Data of Over 129,000 Gamers

Person standing in a server room holding a laptop

VPNOverview’s security team earlier this month discovered the personally identifiable information (PII) of thousands of Survival Servers users in a database backup stored improperly in a public bucket. We notified Survival Servers about the leak on June 7.

Survival Servers has confirmed that the breach affects all customers who signed up prior to February 1, 2022. The California-based company hosts and rents private gaming servers.


User Data Exposed in Database Breach

The leaked data includes the full names, email addresses, and IP addresses of 129,087 individuals. It also includes the phone numbers of some customers. The PII was stored alongside receipts of financial transactions.Screenshot of Survival Servers Leak Personally Identifiable Information Total Amount Affected

“I was surprised to find several pieces of easily accessible PII information within the bucket that could be pieced together and misused by ill-intentioned individuals,” cybersecurity expert Mirza Silajdzic, who discovered the exposed data, said.

Screenshot of Survival Servers Leak Personally Identifiable Information Blurred

Screenshot of Survival Servers Leak Transaction Data PII Blurred

According to Survival Servers, the leak was caused by a “public policy rule for Amazon web services (where our off-site backups are stored) that was incorrectly set.”

The company said it took immediate steps to remove the database backup and secure its S3 bucket. To prevent hackers from taking advantage of the leaked data to hack its users, Survival Servers has introduced additional steps to validate users’ logins.


Steam RCON and Server Passwords Leaked

In addition to the leaked PII, our team also discovered unencrypted passwords for Steam’s remote console (RCON) service.

RCON is a protocol created by Valve for third parties to communicate with Steam’s game servers. It allows customers to control a server remotely using a web interface.

Screenshot of Survival Servers Leak RCON Data Including Passwords Blurred

We found administrative passwords and other credentials to unlock each servers.

According to Survival Servers, the passwords can be used to join game sessions and manage servers. Survival Servers user account passwords were also exposed, but were hashed securely.


Timeline

This is a timeline of the Survival Servers breach:

EventDate
Discovered the database backup in an insecure bucket.June 4th, 2022
Discovered PII and details of financial transactions in the database.June 6th, 2022
Reported the breach to Survival Servers.June 7th, 2022
Breach was closed.June 4th, 2022

While we were investigating the breach, we found that haveibeenpwned.com was also conducting its own investigation. As a result, we both reported the leak. According to Survival Servers, the breach was fixed before we contacted them.


Gamers’ PII Exposed

Gamers and gaming companies are frequently targeted by cybercriminals. We have reported on phishing, malware, and DDoS attacks targeting gaming platforms like Discord where millions of gamers congregate. The personal data we found was easily accessible and could be pieced together by malicious individuals to launch attacks and scam users.

“So far, we have no indication that any PII we found has been exploited to target or take advantage of Survival Servers’ users. However, finding things like admin unlocks and passwords for several game servers is risky. Worse yet, personal data about users should not be floating around on an exposed database backup,” Silajdzic noted.

Cyber security researcher
Aaron Phillips is a programmer and cyber security professional working out of Seattle, WA, with 20 years of experience in the tech industry.